Description
Current Behavior
Cannot use CSP to prevent unsafe-eval when using transifex-native.
Expected Behavior
Can use CSP to prevent unsafe-eval when using transifex-native.
Steps to Reproduce
Add a Content-Security-Policy header without unsafe-eval enabled, such as:
Content-Security-Policy: default-src 'self' example.com
Then try to use transifex-native to translate. You receive this console error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' example.com". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
p.compile @ browser.native.js:2
Minified code in browser.native.js:
return (new (Function.bind.apply(Function, i(i([void 0], n(c), !1), [a], !1)))).apply(void 0, i([], n(u), !1))
Resultant Issue, Suggestion
Having to enable unsafe-eval for transifex opens up unsafe-eval for all scripts on your website, which is insecure. I suggest not using the messageformat library as a dependency.
Notes
Same issue as transloco jsverse/transloco#364
Problematic line of code: https://github.com/messageformat/messageformat/blob/messageformat%404.0.0-7/packages/core/src/messageformat.ts#L291
const fnBody = 'return ' + compiler.compile(message, this.plurals[0]);
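
The fallback named in the console error above (no script-src, so default-src governs eval) can be checked against a header value before deployment. This is an added example, not code from the report, transifex-native or messageformat; the function names and the second and third sample headers are constructed for illustration.

```javascript
// Added example: decide whether a Content-Security-Policy header value lets
// string-to-code calls (eval, new Function) run, following the CSP fallback
// from script-src to default-src that the console error describes.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report which directive governs eval for one policy and whether it allows it.
function evalDecision(policy) {
  const directives = parsePolicy(policy);
  const governing = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src'
    : null;
  if (governing === null) return { governing, allowed: true }; // nothing restricts scripts
  const allowed = directives.get(governing)
    .some((source) => source.toLowerCase() === "'unsafe-eval'");
  return { governing, allowed };
}

// A header may carry several comma-separated policies; every one must allow eval.
function headerAllowsEval(headerValue) {
  return headerValue.split(',')
    .map((p) => p.trim())
    .filter(Boolean)
    .every((policy) => evalDecision(policy).allowed);
}

// Constructed sample headers; the first is the policy from the report.
const samples = [
  "default-src 'self' example.com",
  "default-src 'self'; script-src 'self' 'unsafe-eval'",
  "script-src 'self' 'unsafe-eval', default-src 'self'",
];
for (const header of samples) {
  console.log(headerAllowsEval(header) ? 'eval allowed ' : 'eval blocked ', header);
}
```

A "blocked" result for a deployed policy means any dependency that builds functions from strings, as the quoted messageformat line does, will fail with the error shown in the report.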